🇺🇦 Niall C. Brady 🇺🇦

Killer feature ? Here's another Windows 365 article from myself and Paul, this time using Windows 365 Cloud PCs via a USB-C connected iPhone, check it out > windows-noob.com/forums/topic/2… #windows365 #MSIntune @Brinkhoff_C @ConfigMgrDogs @SCCMentor

New blog post - PowerShell Is King – Download ESD and Flip It to WIM deploymentbunny.com/2026/05/25/pow… via @mikael_nystrom @Truesec

Unfortunate timing with everyone pushing BIOS updates to cater for the secure boot issue, but if you’re updating HP devices, be aware of issues being reported - theregister.com/personal-tech/… #SecureBook #BIOSUpdates #MSIntune #HP

Hi there! 👋 Prajwal Desai here, bringing you @RecastSoftware 🌐 roundup of Endpoint Management news 📰 from Microsoft and the community for May 2026 🗓️. recastsoftware.com/resources/reca… #msintune #msentra #copilot #windows11 #ConfigMgr #community #newsletter #recast #endpointmgmt #sccm

Microsoft updates mitigation guidance for Windows BitLocker security feature bypass vulnerability with a NEW script! The updated guidance replaces previously documented manual mitigation steps with a script that helps reduce exposure while a future security update is developed to address this vulnerability. The Windows versions below are affected: - Windows 11 26H1 - Windows 11 25H2 - Windows 11 24H2 - Windows Server 2025 Windows devices that use BitLocker may be exposed to this vulnerability if mitigations are not applied. Organizational environments that previously implemented the documented manual mitigation steps do not need to take additional action, as the script only simplifies deployment of the existing mitigation. Learn more: msrc.microsoft.com/update-guide/v… #Microsoft #Windows #Bitlocker #Cybersecurity

Do future you a favor: If you ignore this problem, future you will be trying to figure out why devices are online but no longer manageable. Present you still has a little bit of time to avoid the catastrophe. June is sooner than you think. Check your environment now. Start a free trial and get ahead of it ➡️ bit.ly/48yuUbX #SecureBoot #CyberSecurity #Intune

Rubio says that US-led peace negotiations between Russia and Ukraine "were not fruitful." Not fruitful? ​Let’s look at the facts: your negotiators visited Russia seven times, and Ukraine zero times. You demanded concessions from Ukraine before negotiations even began, and throughout the entire process. You pressured Ukraine by cutting off weapons support entirely, constantly badmouthing us, and showing up at our doorstep waving Russian "peace plan" you demanded we sign immediately. ​And now, after Ukraine stands more firmly on its feet without your support, you realize you can't pressure us anymore. So your excuse is that you are tired and leaving? ​How about, for once, you actually support the victim, which is Ukraine instead of terrorist Russian regime? Send your team to Kyiv, support our fight, and apply real pressure on aggressor. Sanction Russia and seize their shadow fleet instead of handing out sanction waivers. Do that, and maybe negotiations will magically become "fruitful."

Per Microsoft Message Center: Intune down for maintenance. Don't think I've ever seen a message about Intune being down.

Manual Update of the Secure Boot Platform Key in Virtual Machines Virtual machines that do not have a valid Platform Key (PK) fail to complete automated updates to Secure Boot databases, including KEK. knowledge.broadcom.com/external/artic… #Broadcom #VMware #SecureBoot #Certificates #WinServ

Updated guidance on BitLocker + Yellowkey - again, now with a script to configure the workaround. Time to test it out! msrc.microsoft.com/update-guide/v… #MSintune #Windows11

Required Win32 Apps and the 60-minute delay (Part 2) We have all seen this issue showing up after a device is enrolled with Autopilot or when we publish a new App It could take up to 60 minutes for the IME to start installing the Win32App. Pressing Sync in Intune feels like the obvious fix, but that only wakes up the MDM policy side of Windows.  It does not directly instruct IME to resume processing Win32 apps. So I kept investigating the IME.... What if we stop waiting for the next cycle and give IME the nudge ourselves? That turned into a small app that can kickstart the required app check-in from IME itself.  The same idea can also be used for a PowerShell remediation. No reboot. No service restart. Just triggering asking the IME nicely.... patchmypc.com/blog/why-do-re… #Intune #MSIntune #Patchmypc #WindowsAutopilot

Green reports don't always mean you're covered 👀 Most #Intune certs renew. Some won't, and you may not know which devices are impacted until problems show up later. Join @Mister_MDM @EskimoRuler and @byteben tomorrow at 9am MT to uncover hidden gaps and validate coverage. Save your seat 👉 bit.ly/3PtbCON #MSIntune #ITCommunity #PatchMyPC

Ever looked inside C:\Windows\System32\SecureBootUpdates? 11 files. This is where Windows stores every binary payload the scheduled task uses to write certificates to your firmware. Each file maps to a specific bit in the AvailableUpdates registry bitmask. The 83MB cabinet file at the top is Microsoft's device confidence database with 1.5 million device records that determines which devices get auto-deployed and which need manual triggering. If this folder is empty or missing on a device, certificate deployment cannot work regardless of what registry value you set. Check your machines. Register here: docs.kaidojarvemets.com/training/secur… #SecureBoot #UEFI #Windows #CyberSecurity #Firmware

Updated guidance on BitLocker - Yellowkey TPM+PIN is always a good idea, bad from user perspective but mitigated many vulnerabilities. msrc.microsoft.com/update-guide/v…

Microsoft released 7 signed PowerShell scripts for enterprise Secure Boot certificate rollout. Solutions that complete what Microsoft started: docs.kaidojarvemets.com/solutions #SecureBoot #PowerShell #SCCM #Intune

IT teams can now enable specific user groups to provision their own Windows 365 Reserve Cloud PC—reducing the need for manual IT provisioning while maintaining full governance. Now in public preview. Read the blog: msft.it/6012vpRma

ICMYI Microsoft announced a general purpose Linux distribution today. Not just for AKS. For VMs and WSL first. Based on Fedora.

@ncbrady Read the Garlin thread on ElevenForum.com. The same T570 has been discussed there. elevenforum.com/t/garlins-powe…

@EdTittel thanks mine is sorted now with the powershell from @miketerrill but i'll take a look anyway :-)

Q: What are you guys doing with older hardware that runs Windows 11 today but is outside of scope of getting a bios update new enough for the Secure Boot certificate problem ? An example, my Lenovo T570 laptop, it works just fine but... the bios date is 3/28/2024 (early 2017).

Under the Hood of the Intune Certificate The Intune certificate matters more than most people think. That Certificate keeps the policy sync alive and is also needed for IME communication, which means apps and scripts depend on it as well. But when the certificate or its chain breaks, things can get funny. The device can still show a recent last check-in, while it is no longer able to receive the latest policies, apps, or scripts. In this webinar, we will explain what the Intune MDM device certificate does, what changed with the Intune Intermediate certificate renewal, why some devices may have missed it, and how to find devices that still appear healthy but may not be. But hey, it is all fine because the last check-in still moved… right? Register here: patchmypc.com/events/intune-… #Intune #MSIntune

@manelrodero @miketerrill @gwblok look under reports, windows autopatch, windows quality updates, reports, secure boot status.

@miketerrill @ncbrady @gwblok I'm going to take a good look at this thread because there's some very interesting information in that slide ;-) However, I can't seem to find that "Secure Boot" report under "Endpoint Security" in Intune. And our tenant has A3 and A5 licenses. I don't understand it.